Malicious program detection based on pattern matching (e.g., of strings or expressions) may be easily bypassed. Malicious program detection using heuristics may result in false positives and/or false negatives, because the detection itself is usually an indicator of suspiciousness, not of maliciousness. Malicious program detection that executes code to perform unpacking may be evaded, for example when the malicious program uses user parameters as function names, or uses encryption methods so that the malicious program is decrypted only if a correct decryption key is provided. A more resilient tool for detecting malicious programs is desirable.